DNS cache poisoning attacks -- are they real?

Sean Donelan sean at donelan.com
Sat Mar 26 22:52:56 UTC 2005


You forgot the most important requirement, you have to be using
insecure, unpatched DNS code (old versions of BIND, old versions of
Windows, etc). If you use modern DNS code which only follows
trustworthy pointers from the root down, you won't get hooked by
this. A poisoned DNS cache is irrelevant if your resolver never
queries servers with poisoned caches.  If you do, you should
fix your code.

On the other hand, there are a lot of reasons why a DNS operator may
return different answers to their own users of their resolvers.  Reverse
proxy caching is very common. Just about all WiFi folks use cripple
DNS as part of their log on. Or my favorite, quarantining infected
computers to get the attention of their owners.

But it shouldn't matter what other DNS operators do, as long as your
DNS code doesn't use them to resolve names without a pointer from
the root (although you may not be able to log on to some WiFi hotspots).

Why Microsoft didn't make "Secure cache against pollution" the default
setting, I don't know.
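The rule the post relies on (only accept data from a server that is authoritative for the name, i.e. "follow pointers from the root down" / "Secure cache against pollution") can be shown in a few lines. The following is an added illustration written for this archive page, not code from the poster or from any resolver; the record model, the domain names and the addresses are constructed, and the bailiwick test is a simplified version of what a real resolver applies to each section of a reply.

```python
# Added illustration: a minimal model of "bailiwick" (secure-cache) filtering.
# Names, addresses and the resolver model are constructed for this example.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type and rdata (all strings here)."""
    name: str
    rtype: str
    rdata: str


@dataclass
class Response:
    """A DNS reply split into its three record-carrying sections."""
    qname: str
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so name comparisons are canonical."""
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies below it; the root zone covers everything."""
    name, zone = normalize(name), normalize(zone)
    if zone == "":
        return True
    return name == zone or name.endswith("." + zone)


def filter_response(resp: Response, zone: str) -> Tuple[List[RR], List[RR]]:
    """Split every record of a reply into in-bailiwick (kept) and out-of-bailiwick (dropped)."""
    kept: List[RR] = []
    dropped: List[RR] = []
    for section in (resp.answer, resp.authority, resp.additional):
        for rr in section:
            (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return kept, dropped


class Cache:
    """Toy resolver cache; secure=True applies the bailiwick rule on ingest."""

    def __init__(self, secure: bool = True) -> None:
        self.secure = secure
        self._store: Dict[Tuple[str, str], List[str]] = {}

    def ingest(self, resp: Response, zone: str) -> List[RR]:
        """Cache a reply received from a server we reached by referral for `zone`.
        Returns the records rejected by the bailiwick rule (none when insecure)."""
        if self.secure:
            kept, dropped = filter_response(resp, zone)
        else:
            kept, dropped = resp.answer + resp.authority + resp.additional, []
        for rr in kept:
            self._store.setdefault((normalize(rr.name), rr.rtype), []).append(rr.rdata)
        return dropped

    def lookup(self, name: str, rtype: str) -> List[str]:
        """Return cached rdata for (name, type), empty if nothing was accepted."""
        return list(self._store.get((normalize(name), rtype), []))


def sample_response() -> Response:
    """Constructed reply from the example.com server: a legitimate answer plus a
    gratuitous additional record for a name that server has no authority over."""
    return Response(
        qname="www.example.com.",
        answer=[RR("www.example.com.", "A", "192.0.2.10")],
        authority=[RR("example.com.", "NS", "ns1.example.com.")],
        additional=[
            RR("ns1.example.com.", "A", "192.0.2.53"),
            RR("www.bank.example.", "A", "203.0.113.66"),  # out of bailiwick
        ],
    )


def demo() -> Dict[str, List[str]]:
    """Feed the same reply to a secure and an insecure cache and compare."""
    resp = sample_response()
    secure, insecure = Cache(secure=True), Cache(secure=False)
    rejected = secure.ingest(resp, "example.com")
    insecure.ingest(resp, "example.com")
    return {
        "rejected_by_secure": [rr.name for rr in rejected],
        "secure_sees": secure.lookup("www.bank.example", "A"),
        "insecure_sees": insecure.lookup("www.bank.example", "A"),
    }


if __name__ == "__main__":
    print(demo())
```

The secure cache keeps the example.com answer and glue but discards the additional record for www.bank.example, so a later query for that name goes out to the bank's own servers via the root; the insecure cache answers it from the stray record, which is exactly the "hooked by this" case the post describes.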
